Within the age of hybrid and distant work, distant entry is a strong enabler for organizations, permitting workers, contractors, enterprise companions, distributors and different trusted events to entry firm sources. But, distant entry will increase cybersecurity danger. It inadvertently supplies comparatively easy-to-compromise entry factors into inner networks and techniques — entry factors that attackers know to hunt out and exploit.
The next are 10 vital safe distant entry finest practices, find out how to implement them and the way they enhance a corporation’s cybersecurity posture and scale back danger.
Have a distant entry coverage
The inspiration of any distant entry implementation is a complete distant entry coverage. The coverage ought to outline the high-level necessities governing safe distant entry, together with acceptable use, and specify the potential penalties of violating any of these necessities. The coverage ought to handle the next subjects, at minimal:
The types of distant entry that the group permits, akin to VPNs.
The forms of units that may use every distant entry kind — for instance, organization-issued laptops versus personally owned smartphones — and some other necessities these units should meet.
The forms of sources that can be utilized by means of distant entry, with any limitations for explicit distant entry types or system varieties.
Any necessities for acceptable use of distant entry applied sciences that aren’t already addressed within the group’s acceptable use coverage.
Present organization-issued units for distant customers every time possible
For years, BYOD — the place customers introduced their very own computer systems and cell units to entry the group’s sources — was an enormous pattern. BYOD enabled telework for a lot of customers, however endpoint safety suffered because of this. The group may strictly management the safety posture of its personal units, however had restricted skill to regulate and even monitor the safety of personally owned units and different forms of BYOD.
To keep away from this hole in safety, equip distant customers with firm units every time possible. This could embrace contractors and, in some circumstances, enterprise companions and distributors. Eradicate or strictly restrict BYOD to customers who want solely entry to low-risk, publicly accessible sources.
Require use of a distant entry server for inner sources
VPNs have anchored distant entry servers for many years. A VPN supplies a single, well-secured and monitored level of entry that enforces safety insurance policies on the customers and units trying to make use of it.
Most VPN applied sciences present a spread of cybersecurity options, from authenticating customers and units to assessing system safety posture earlier than allowing entry to inner sources. That is extremely handy for each customers and directors. The choice can be for customers to entry every inner useful resource immediately and individually, with directors having to handle and monitor each step within the course of.
Lately, VPN options have emerged, together with safe entry service edge (SASE) and zero-trust community entry (ZTNA). Most organizations want a minimum of one among these distant entry applied sciences carried out to safeguard entry to inner sources. Utilizing a single VPN, SASE or ZTNA occasion to entry all sources may be difficult as a result of many sources are cloud-based and publicly accessible. A standard instance is utilizing SaaS to host e-mail companies. If an worker solely must entry e-mail remotely, forcing them to attach by means of an equipment at headquarters may be cumbersome and inefficient. Alternate options are to allow direct entry to low-risk cloud-based sources or to make use of cloud-based distant entry companies along side, or as an alternative of, on-premises distant entry home equipment and software program.
Carry out cyber well being checks on person endpoints
One of many largest dangers posed by distant entry is compromised person units. As soon as exploited, these units present attackers with direct entry to and management over the group’s inner networks and techniques.
One of many largest dangers posed by distant entry is compromised person units. As soon as exploited, these units present attackers with direct entry to and management over the group’s inner networks and techniques.
To fight this, test customers’ endpoints for any compromises earlier than they’re permitted to make use of inner sources. VPN, SASE and ZTNA routinely carry out cyber well being checks on organization-issued units and, to a lesser extent, on some BYOD units.
Cyber well being checks ought to assess the next, relying on the endpoint’s OS:
If the endpoint is managed by the group or is authorised for BYOD use.
If the OS is updated.
If antimalware software program is working and is updated.
If some other required safety instruments or configurations, akin to host-based firewall guidelines, are enabled and correctly configured.
That there aren’t any indicators of malware, exploit kits or different assault instruments on the endpoint.
Require MFA
Passwords alone are extremely dangerous. An attacker can purchase a password by means of social engineering, phishing, guessing, performing brute-force assaults or reusing a compromised password from one other account of the identical person. With out verifying a second authentication issue that isn’t additionally “one thing you already know,” attackers who know any person’s password may simply bounce into the group’s inner community.
Require MFA for distant entry to inner sources and, if possible, require it for distant entry to public-facing sources. MFA, particularly when linked to single sign-on, simplifies the authentication course of for customers whereas additionally offering a a lot larger degree of assurance that the person is who they declare to be. MFA would not have to incorporate a password, and most customers can be thrilled to scale back or decrease their use and administration of passwords.
Encrypt all community communications from finish to finish
All distant entry community site visitors ought to be encrypted from finish to finish. VPN, SASE and ZTNA distant entry applied sciences safeguard the confidentiality and integrity of community site visitors transmitted between their platforms and person endpoints. But, these platforms do not essentially defend the community site visitors because it passes between distant entry applied sciences and the techniques and networks behind these frameworks.
Assessment community site visitors flows related to distant entry, determine any communications passing unencrypted and decide which of these communications want safety. Guarantee the required safety is put into place. That is most relevant to VPNs, which not often prolong safety previous the VPN server itself. There are lots of choices, together with utilizing proxy servers, to encrypt site visitors between the VPN and inner sources, and encrypting inner community segments at a low degree to maybe eradicate the necessity for higher-level encryption.
Think about implementing a zero-trust structure
Zero-trust structure is the precept of limiting entry as tightly as potential. Because the identify implies, zero belief verifies that folks and units are reliable as an alternative of assuming they’re.
Zero-trust structure includes quite a few applied sciences working carefully collectively to implement zero belief all through your complete enterprise. ZTNA, though not required for a zero-trust structure, is a useful element, however many different items are additionally wanted — and so they have to be built-in and configured correctly.
Transitioning to a zero-trust structure typically takes years of planning and element rollouts earlier than your complete structure may be absolutely built-in and all insurance policies enforced. Organizations contemplating utilizing a zero-trust structure to safe their distant entry want to make use of different means to safe the distant entry till the zero-trust structure is totally deployed and working in manufacturing.
Practice all distant entry customers on safe distant entry practices
Educate all distant entry customers in regards to the significance of distant entry safety to scale back the chance of actions that would compromise the group. Retrain customers as distant entry applied sciences and practices change. Supply periodic refreshers even when practices have not modified considerably.
Consumer coaching isn’t just for workers; it is also important for contractors, enterprise companions, distributors and anybody else who makes use of the group’s distant entry applied sciences. Coaching ought to cowl each bodily and technical safety practices. For instance, advise customers to by no means depart unlocked units unattended in public areas, to deactivate private assistants like Alexa and Siri throughout delicate conferences and calls, and to by no means allow any family member to make use of the organization-issued pc or cell system.
Prohibit who can use distant entry
It is typically not prudent to routinely give everybody within the group distant entry. Until distant entry is really wanted, making it out there to further individuals will increase the danger with out offering a profit.
Solely present distant entry to these customers who want it to carry out their duties, and solely achieve this after they’ve been skilled on safe distant entry practices and have learn and signed the group’s distant entry coverage.
If potential, assign a separate person account to every particular person as an alternative of allowing shared distant entry accounts. This may very well be notably difficult for distributors and different third events that want distant entry however haven’t got a particular particular person or small group performing these duties. Having a separate account for every particular person will increase accountability.
Revoke distant entry as soon as it’s not wanted, particularly if somebody leaving the group is below detrimental circumstances, akin to termination for trigger. Distant entry is typically misused by disgruntled customers after they depart the group to exfiltrate information, injury sources and trigger outages, amongst different penalties.
Constantly monitor all distant entry exercise
It would not matter if a corporation adopts these safe distant finest practices if it would not additionally repeatedly monitor all distant entry servers and all of the exercise involving these servers. As a result of these servers are key entry factors into the group, they’re apparent targets for attackers. Their safety is paramount.
At all times monitor all distant entry servers utilizing safety applied sciences and guarantee human analysts can be found to intervene instantly within the occasion of a possible assault or suspicious exercise. Fastidiously monitor and analyze the distant entry exercise itself to determine anomalies and different indicators of compromise. For instance, if a specific person makes an attempt to attach from a far-flung nook of the world just some hours after she was current at headquarters, it is a robust indication that the account may need been compromised. Or if a person begins downloading massive volumes of recordsdata from inner servers onto his laptop computer, this might point out an insider menace exfiltrating information or an attacker utilizing a compromised laptop computer to reap delicate info from inner techniques. Both means, sudden exercise requires additional investigation so it may be stopped as quickly as potential — particularly if it is malicious.
Karen Kent is the co-founder of Trusted Cyber Annex. She supplies cybersecurity analysis and publication companies to organizations and was previously a senior pc scientist for NIST.
